Some hacks on the server

Due to a sudden load spike on the server, I started to investigate and found that docker (traffmonetizer was running) and a binary for CPU mining were running, and the processes were completely hidden. I'm sharing what I found. By the way, only HTTP/HTTPS traffic is open on the server, and ports 8090/7080 are open to only one IP.

So, do you have any ideas?

OS: Ubuntu 20.04
Cyberpanel Version: 2.3.9

/etc/passwd
webadmin_cyberpanel:x:5004:5004::/home/webadmin_cyberpanel:/bin/bash

/etc/group
root:x:0:webadmin_cyberpanel
sudo:x:27:ubuntu,webadmin_cyberpanel
webadmin_cyberpanel:x:5004:

/home/cyberpanel/error-logs.txt

```
[01.25.2025_09-27-49] upload file res total 48
drwxr-xr-x 3 lscpd lscpd 4096 Jan 25 09:27 .
drwxrwxrwt 45 root root 28672 Jan 25 09:27 …
-rw-r--r-- 1 lscpd lscpd 530 Jan 25 09:27 .rtreport
srwxrw---- 1 root lscpd 0 Jan 25 02:00 cgid.sock.889
srwxrw-rw- 1 lscpd lscpd 0 Jan 25 09:27 cyberpanel:_.sock.651
-rw-r--r-- 1 root root 5 Jan 25 02:00 lscpd.pid
drwx------ 2 lscpd lscpd 4096 Feb 19 2024 swap
useradd: user 'webadmin_cyberpanel' already exists
usermod: group 'wheel' does not exist
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

{}

[01.25.2025_14-03-01] Expecting value: line 1 column 1 (char 0)
[01.25.2025_14-03-04] upload file res crw-rw-rw- 1 root root 1, 3 Nov 28 11:47 /dev/null

[01.25.2025_14-03-04] Expecting value: line 1 column 1 (char 0)
[01.25.2025_14-03-08] upload file res crw-rw-rw- 1 root root 1, 3 Nov 28 11:47 /dev/null

[01.25.2025_14-03-12] Expecting value: line 1 column 1 (char 0)
[01.25.2025_14-03-16] upload file res crw-rw-rw- 1 root root 1, 3 Nov 28 11:47 /dev/null

[01.25.2025_14-03-16] Expecting value: line 1 column 1 (char 0)
[01.25.2025_14-06-00] upload file res crw-rw-rw- 1 root root 1, 3 Nov 28 11:47 /dev/null

[01.25.2025_14-07-17] Expecting value: line 1 column 1 (char 0)
[01.25.2025_14-07-21] upload file res crw-rw-rw- 1 root root 1, 3 Nov 28 11:47 /dev/null

[01.25.2025_14-07-21] Expecting value: line 1 column 1 (char 0)
[01.25.2025_14-07-26] upload file res crw-rw-rw- 1 root root 1, 3 Nov 28 11:47 /dev/null
```
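The /etc/group listing shows `webadmin_cyberpanel` in the `root` and `sudo` groups, the log shows `useradd`/`usermod` being run against that same account (including an attempt on a `wheel` group that does not exist on Ubuntu), and the post says the miner's processes were hidden from view. As an added example, not code from the post or from CyberPanel, here are the two quick checks I would run on such a box, written as shell functions over text input so they can be exercised on constructed data (the `SAMPLE_GROUP` contents below are made up to mirror the listing above) or on the live host with `--live`:

```shell
#!/bin/sh
# Added triage helpers (not from the thread or from CyberPanel).
#   1. privileged_members: who sits in root/sudo/wheel/admin in a group file
#   2. hidden_pids: PIDs present in /proc but missing from `ps` output
# Both take text so they can run on constructed input or live data.

# Constructed /etc/group sample, modelled on the listing in the post.
SAMPLE_GROUP='root:x:0:webadmin_cyberpanel
daemon:x:1:
sudo:x:27:ubuntu,webadmin_cyberpanel
lscpd:x:1001:
webadmin_cyberpanel:x:5004:'

# Print "group:member" for every member of a privileged group.
# $1: contents of a group file (name:passwd:gid:member,member,...)
privileged_members() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "root" || $1 == "sudo" || $1 == "wheel" || $1 == "admin" {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] != "") print $1 ":" m[i]
    }'
}

# Print PIDs that appear in the first list but not in the second.
# $1: newline-separated PIDs seen in /proc; $2: PIDs reported by ps.
# Tagging each line with its source lets a single awk pass do the set
# difference without temp files.
hidden_pids() {
  {
    printf '%s\n' "$2" | sed 's/^/ps /'
    printf '%s\n' "$1" | sed 's/^/proc /'
  } | awk '
    $2 == ""                      { next }
    $1 == "ps"                    { seen[$2] = 1; next }
    $1 == "proc" && !($2 in seen) { print $2 }'
}

# Live wrapper for the compromised host. Also prints /etc/ld.so.preload,
# the usual hook point for userland process-hiding libraries.
live_check() {
  echo "== members of privileged groups =="
  privileged_members "$(cat /etc/group)"
  echo "== /etc/ld.so.preload =="
  if [ -s /etc/ld.so.preload ]; then cat /etc/ld.so.preload; else echo "(absent)"; fi
  echo "== PIDs in /proc but not reported by ps =="
  hidden_pids "$(ls /proc | grep -E '^[0-9]+$')" "$(ps -eo pid= | tr -d ' ')"
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Two caveats when running this live: a process that exits between the `ls /proc` and the `ps` call shows up as a transient false positive, so re-run before acting on a single PID; and a preload library that hooks `readdir` hides entries from `ls /proc` and from `ps` alike, so an empty result with a non-empty `/etc/ld.so.preload` is itself the finding, and the next step is a statically linked `ps`/`ls` or probing `/proc/<pid>` directly.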

Interesting find. Is it possible that you upgraded after the previous hack (which happened a few months ago)? I wouldn't risk it; I'd do a clean reinstall.

The file modification dates are January 25th. Everything has the new dates. When I first saw these I had already started the steps for a new installation (but without CyberPanel), just to make sure what it came from.